Kubernetes disclosed a security vulnerability (CVE-2020-8559) in kube-apiserver. Attackers who have compromised a node can intercept certain upgrade requests sent through the kube-apiserver to that node and answer them with a redirect response. Clients follow the redirect using the same credentials carried in the intercepted requests, so their subsequent requests are sent to another node. This allows privilege escalation from a compromised node. This topic describes the impacts of CVE-2020-8559, the affected kube-apiserver versions, and the suggested solutions for prevention and mitigation.

Affected versions

CVE-2020-8559 affects the following kube-apiserver versions:
  • kube-apiserver 1.18.0 to 1.18.5 (fixed in kube-apiserver v1.18.6)
  • kube-apiserver 1.17.0 to 1.17.8 (fixed in kube-apiserver v1.17.9)
  • kube-apiserver 1.16.0 to 1.16.12 (fixed in kube-apiserver v1.16.13)
CVE-2020-8559 impacts services in the following scenarios:
  • A Kubernetes cluster is used by multiple tenants, and nodes that belong to different tenants are isolated from each other.
  • Multiple Kubernetes clusters share the same certificate authority and authentication credentials.

Impacts

  • The API server proxy built into kube-apiserver can pass redirect responses for upgrade requests back to clients. Attackers who have compromised a node can intercept certain upgrade requests sent through the kube-apiserver to that node and answer them with a redirect response. Clients follow the redirect using the same credentials carried in the intercepted requests, so their subsequent requests are sent to another node. This allows privilege escalation from a compromised node. The Common Vulnerability Scoring System (CVSS) score of this vulnerability is 6.4, which rates CVE-2020-8559 as a medium-severity vulnerability.
  • If multiple clusters share the same certificate authority certificates and authentication credentials, attackers can exploit this vulnerability to attack other clusters. In this case, this vulnerability is a high-severity vulnerability.

Prevention and mitigation

To defend against cross-cluster attacks, clusters of Alibaba Cloud Container Service for Kubernetes (ACK) use separate certificate authorities. Credentials are completely isolated among clusters.

To defend against cross-node attacks inside a cluster, we recommend that you perform the following steps:
  • Enable audit logging for kube-apiserver. If a response code between 300 and 399 is returned to any of the following requests, it may be evidence of an attack:
    • pods/exec
    • pods/attach
    • pods/portforward
    • Any proxy resources, such as pods/proxy and services/proxy
  • Revoke the kubeconfig credentials that may be disclosed, and remove unnecessary Role-based access control (RBAC) permissions from roles that are bound to the following resources: pods/exec, pods/attach, pods/portforward, and all proxy resources.
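As an added example (not part of the original advisory or of ACK's tooling), the following Python script applies the audit-log check above to constructed audit events in the audit.k8s.io/v1 JSON-lines format: it flags requests to the listed subresources that completed with a 3xx status. The usernames, namespaces and pod names in the sample log are made up.

```python
import json

# Subresources named in the advisory for which a 3xx response is suspicious.
WATCHED = {("pods", "exec"), ("pods", "attach"), ("pods", "portforward")}


def is_watched(obj_ref):
    """True for pods/exec, pods/attach, pods/portforward and any */proxy."""
    resource = obj_ref.get("resource", "")
    sub = obj_ref.get("subresource", "")
    return (resource, sub) in WATCHED or sub == "proxy"


def suspicious_redirects(audit_lines):
    """Return (user, requestURI, code) for watched requests answered with 3xx."""
    hits = []
    for line in audit_lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        # responseStatus is only final once the request has completed;
        # RequestReceived events carry no response code at all.
        if ev.get("stage") != "ResponseComplete":
            continue
        code = ev.get("responseStatus", {}).get("code", 0)
        if 300 <= code <= 399 and is_watched(ev.get("objectRef", {})):
            hits.append((ev["user"]["username"], ev["requestURI"], code))
    return hits


# Constructed sample audit events (not from a real cluster). A normal exec
# completes with 101 Switching Protocols; the 302 on pods/exec and the 307
# on services/proxy are the pattern the advisory says to look for.
SAMPLE_AUDIT_LOG = """
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/app/pods/web-0/exec?command=sh","verb":"create","user":{"username":"alice"},"objectRef":{"resource":"pods","namespace":"app","name":"web-0","subresource":"exec"},"responseStatus":{"code":101}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","stage":"RequestReceived","requestURI":"/api/v1/namespaces/app/pods/web-1/exec?command=sh","verb":"create","user":{"username":"bob"},"objectRef":{"resource":"pods","namespace":"app","name":"web-1","subresource":"exec"}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/app/pods/web-1/exec?command=sh","verb":"create","user":{"username":"bob"},"objectRef":{"resource":"pods","namespace":"app","name":"web-1","subresource":"exec"},"responseStatus":{"code":302}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/kube-system/services/metrics/proxy/","verb":"get","user":{"username":"system:serviceaccount:kube-system:scraper"},"objectRef":{"resource":"services","namespace":"kube-system","name":"metrics","subresource":"proxy"},"responseStatus":{"code":307}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/app/pods","verb":"list","user":{"username":"alice"},"objectRef":{"resource":"pods","namespace":"app"},"responseStatus":{"code":200}}
"""

if __name__ == "__main__":
    for user, uri, code in suspicious_redirects(SAMPLE_AUDIT_LOG.splitlines()):
        print(f"ALERT: {code} returned on {uri} for {user}")
```

Point the script at the audit log file configured via the kube-apiserver audit policy (Metadata level is sufficient, since only objectRef and responseStatus are inspected).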